Tag Archive for: Gang

Ransomware gang targets nonprofit providing clean water to world’s poorest


Water for People, a nonprofit that aims to improve access to clean water for people whose health is threatened by a lack of it for drinking and sanitation, is the latest organization to have been hit by ransomware criminals.

The ransomware-as-a-service gang Medusa listed Water for People on its darknet site Thursday night, threatening to publish stolen information unless the nonprofit pays a $300,000 extortion fee.

A Water for People spokesperson told Recorded Future News: “The accessed data predates 2021, did not compromise our financial systems and no business operations were impacted. We’re working with top incident response firms, as well as our insurance company and hardening our systems with our security team to prevent future incidents.”

The attack follows the nonprofit receiving a $15 million grant from MacKenzie Scott, the billionaire ex-wife of Amazon founder Jeff Bezos. There is no evidence that Water for People was specifically targeted because of this donation.

The organization operates in nine different countries, from Guatemala and Honduras in Latin America, to Mozambique in Africa and to India, and aims to improve water access for more than 200 million people over the next eight years.

“While the recent cyber attack from Medusa Locker Ransomware has not impacted our important work fighting the global water crisis and equipping communities with lasting access to clean water and sanitation services, it does reflect that even non-profits like ours are in the cross-hairs of these threat actors. We attempted good-faith negotiations that led nowhere,” the spokesperson added.

It is not the first time the Medusa gang’s activities have impacted an organization associated with water provision, although the gang and its affiliates appear to work opportunistically, according to new analysis by Palo Alto Networks’ Unit 42.

Last year, an Italian company that provides drinking water to nearly half a million people was hit by the gang.

Back in 2021, U.S. law enforcement agencies said ransomware gangs in general had hit five water and wastewater treatment facilities in the country — not including three other widely reported cyberattacks on water utilities.

Despite…

Source…

Ransomware gang starts leaking data stolen from Quebec university


The LockBit ransomware gang has started releasing data it says was stolen last month from a Quebec university.

The data is from the University of Sherbrooke, with a student body of about 31,000 and 8,200 faculty and staff. Sherbrooke is a city about a two-hour drive east of Montreal.

Asked in an email to comment on the action by LockBit, university Secretary General Jocelyne Faucher referred to the institution’s Dec. 7 statement that said, “certain data from one research laboratory has been compromised.” The incident has had no impact on the university’s activities, the statement added. An investigation continues.

According to a news report on the French-language Radio-Canada, the university said last month it had not been hit with ransomware.

The university hasn’t said if the compromised data included personal information or intellectual property.

Threat actors go after the education sector for several reasons: First, they believe public school boards can be pressured into paying to get access back to stolen data about children. Second, they believe post-secondary institutions will be subject to pressure from students to pay for the return of stolen personal and research data.

According to Sophos’ most recent annual ransomware report, the education sector was the most likely to have experienced a ransomware attack in 2022. Eight per cent of educational institutions surveyed said they had been hit. “Education traditionally struggles with lower levels of resourcing and technology than many other industries,” the report says, “and the data shows that adversaries are exploiting these weaknesses.”

In June, Ontario’s University of Waterloo interrupted a ransomware attack after being tipped off by the RCMP. The university’s on-premises email server was compromised, but “only a tiny number of users were impacted,” the institution said. All university IT users had to reset their login passwords.

One of the most recent cyber attacks on a Canadian university happened in December, when Memorial University’s Grenfell campus in Corner Brook, NL, was hit. According to the CBC, IT services at the Marine Institute were temporarily shut down. The start of the new…

Source…

Xerox Business Solutions targeted by INC Ransom ransomware gang


Xerox Holdings Corp. subsidiary Xerox Business Solutions has suffered from a data breach following a ransomware attack.

The attack first came to light on Dec. 29 when the INC Ransom ransomware gang added Xerox Business Solutions to its dark web leaks site. According to Bleeping Computer, the gang claimed to have stolen sensitive data and confidential documents from XBS systems.

Xerox has confirmed the attack, saying in a statement that it experienced a “security incident” that was detected and contained by company cybersecurity personnel. The attack was limited to XBS U.S. and Xerox is working with outside cybersecurity experts to undertake a thorough investigation and take steps to secure the company’s information technology environment.

According to the company, the attack had no impact on its corporate systems, operations or data. However, Xerox does confirm that “limited personal information” may have been affected. Those affected will be informed as required.

INC Ransom first emerged on the scene in July of last year and positioned itself as providing a service to its victims. As detailed by SentinelOne Inc., INC Ransom victims are told to pay the ransom demanded to “save their reputation,” as the threat actors indicate their intention to reveal their methods, making the victim’s environment “more secure” as a result.

The gang is known to have targeted multiple industries with little or no discrimination, with attacks across healthcare, education and government entities. Previous INC Ransom victims include BPG Building Partners Group GmbH, DM Civil LLC, Ingo Money Inc., Nicole Miller Inc., Pro Metals LLC, Springfield Area Chamber of Commerce and Trylon Corp.

Although ransomware attacks have been a proverbial dime a dozen, where this story takes a twist is that there is some suggestion that Xerox may be in discussions to pay the ransom being demanded.

“While it remains unclear whether Xerox is in negotiations with INC Ransom, the removal of their leaked documents implies ongoing discussion may be taking place,” Darren Williams, founder and chief executive of ransomware prevention company BlackFog Inc., told SiliconANGLE. “Given that data…

Source…

Cactus RANSOMWARE gang hit the Swedish retail and grocery provider Coop


Pierluigi Paganini
January 01, 2024

The Cactus ransomware group claims to have hacked Coop, one of the largest retail and grocery providers in Sweden.

Coop is one of the largest retail and grocery providers in Sweden, with approximately 800 stores across the country. The stores are co-owned by 3.5 million members in 29 consumer associations. All surplus that is created in the business goes back to the members or is reinvested in the business, which creates a circular cycle.

The Cactus ransomware group claims to have hacked Coop and is threatening to disclose a huge amount of personal information, over 21 thousand directories.

The Cactus ransomware group added Coop to the list of victims on its Tor leak site.

[Image: Cactus ransomware operation Coop]

Threat actors have published ID cards as proof of hack.

In July 2021, the Swedish supermarket chain Coop was the first company to disclose the impact of the supply chain ransomware attack that hit Kaseya.

The supermarket chain Coop shut down approximately 500 stores as a result of the supply chain ransomware attack that hit the provider Kaseya.

Coop doesn’t use Kaseya software itself; it was impacted by the incident because one of its software providers does.

According to BleepingComputer, the impacted provider was the Swedish MSP Visma, which manages the payment systems for the supermarket chain.

Visma confirmed they were affected by the Kaseya cyber attack that allowed the REvil ransomware to encrypt their customers’ systems.

The Cactus ransomware operation has been active since March 2023. Although the threat actors use a double-extortion model, their data leak site has yet to be discovered.

Kroll researchers reported that the ransomware strain stands out for its use of encryption to protect the ransomware binary.

Cactus ransomware uses the SoftPerfect Network Scanner (netscan) to look for other targets on the network, along with PowerShell commands to enumerate endpoints. The ransomware identifies user accounts by viewing successful logins in Windows Event Viewer; it also uses a modified variant of the open-source PSnmap tool.

The Cactus ransomware relies on multiple legitimate…

Source…